Files
pnpm/lockfile/utils/tsconfig.json
Zoltan Kochan b8196b82d1 fix: require integrity for tarball-shaped lockfile resolutions (backport #11966 to v10) (#12007)
A tampered `pnpm-lock.yaml` that strips the `integrity` field from a
tarball resolution let the worker download the URL contents and mint a
fresh integrity from the unverified bytes. An attacker who could both
alter the lockfile (e.g. via a pull request that drops `integrity:`)
and serve modified content at the referenced tarball URL could install
a tampered package without any error — including under
`--frozen-lockfile`.

`pkgSnapshotToResolution` now fails closed at lockfile-read time with
`ERR_PNPM_MISSING_TARBALL_INTEGRITY` whenever a tarball-shaped
resolution (no `type` field — covers plain remote, registry-derived,
`file:`, and `gitHosted` entries) lacks integrity. Git-hosted
tarballs and `file:` tarballs remain exempt: the commit SHA in a
git-host URL and the user-controlled local path already anchor the
bytes.

The fix sits at the lockfile-read chokepoint every install path flows
through (deps-resolver, deps-restorer, graph-builder), so both
isolated and hoisted node-linkers are covered.

Credit to AutoFyn for finding and reporting the issue.
2026-05-28 00:44:13 +02:00

29 lines
456 B
JSON

{
"extends": "@pnpm/tsconfig",
"compilerOptions": {
"outDir": "lib",
"rootDir": "src"
},
"include": [
"src/**/*.ts",
"../../__typings__/**/*.d.ts"
],
"references": [
{
"path": "../../packages/dependency-path"
},
{
"path": "../../packages/error"
},
{
"path": "../../packages/types"
},
{
"path": "../../resolving/resolver-base"
},
{
"path": "../types"
}
]
}